RPC server is unavailable

Discussion in 'DNS Server' started by HawleyBeach, Jan 16, 2007.

  1. HawleyBeach

    HawleyBeach Guest

    Hi,
    I have installed Windows 2003 Server at home and configured it as a domain
    controller named contoso.com as per Microsoft practice. The server is
    connected to an ADSL broadband router; I am hoping to add a client PC to this
    domain controller. Prior to doing so, I did a dcdiag test and received the
    error below:

    C:\Documents and Settings\Administrator.GATEWAY>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    [gateway] Directory Binding Error 1722:
    The RPC server is unavailable.
    This may limit some of the tests that can be performed.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\GATEWAY
    Starting test: Connectivity
    [GATEWAY] DsBindWithSpnEx() failed with error 1722,
    The RPC server is unavailable..
    ......................... GATEWAY failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\GATEWAY
    Skipping all tests, because server GATEWAY is
    not responding to directory service requests

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : contoso
    Starting test: CrossRefValidation
    ......................... contoso passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... contoso passed test CheckSDRefDom

    Running enterprise tests on : contoso.com
    Starting test: Intersite
    ......................... contoso.com passed test Intersite
    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
    A Time Server could not be located.
    The server holding the PDC role is down.
    Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
    A Good Time Server could not be located.
    Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
    A KDC could not be located - All the KDCs are down.
    ......................... contoso.com failed test FsmoCheck

    the outcome of ipconfig /all on this server (domain controller) as below:

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : gateway
    Primary Dns Suffix . . . . . . . : contoso.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : contoso.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
    Physical Address. . . . . . . . . : 00-0F-B5-FE-6A-D1
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.200
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    DNS Servers . . . . . . . . . . . : 127.0.0.1

    I also have a look into event viewer on domain controller, i get this error:
    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1054
    Date: 16/01/2007
    Time: 2:36:09 PM
    User: NT AUTHORITY\SYSTEM
    Computer: GATEWAY
    Description:
    Windows cannot obtain the domain controller name for your computer network.
    (The specified domain either does not exist or could not be contacted. ).
    Group Policy processing aborted.

    Client PC is able to ping to this server and vice versa, but not able to
    join to contoso.com domain.
    I have also checked nslookup on domain controller as below:
    C:\Documents and Settings\Administrator.GATEWAY>nslookup
    Default Server: localhost
    Address: 127.0.0.1
    Server: localhost
    Address: 127.0.0.1

    _ldap._tcp.contoso.com SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = gateway.contoso.com
    gateway.contoso.com internet address = 192.168.1.200

    I have also made sure the DHCP Server service is enabled. But the authorised
    server added to DHCP is always not connected and shows the error "cannot find
    the DHCP server"

    Please help... :'(
     
    HawleyBeach, Jan 16, 2007
    #1

  2. HawleyBeach

    Herb Martin Guest

    What specifically did you configure "per Microsoft practice"?
    (When you say such things we don't have a clue what you did.)
    Chances are you didn't choose to install the DNS Server, or make
    the DNS zone (for the domain), or make it dynamic, or you didn't
    set the DC to use STRICTLY the DNS server which holds that
    zone which supports AD.

    You might have done this by making the DC a "DHCP client" and
    getting its IP settings (with DNS) automatically.

    [I am pretty sure I answered this exact question for you several days
    ago too.]

    You are likely to have a lot of trouble if you try to run two NICs in
    the DCs -- most people here recommend that you never multihome
    DCs. It CAN be done successfully but it requires a lot of knowledge
    and careful understanding and attention.

    The Client as well must point STRICTLY to the internal DNS server
    on the NIC->IP properties.

    You will generally configure the DNS server for FORWARD (server
    properties->Forwarding tab) to the Gateway or ISP address you
    WOULD have used if you didn't have a domain or other internal
    resources defined on an internal DNS server.
     
    Herb Martin, Jan 16, 2007
    #2

  3. HawleyBeach

    HawleyBeach Guest

    Hi Martin,
    Sorry for the confusion, I am attempting the practice in 70-290 ms press
    training kit to join a client to domain. However, i do not have much
    experience in networking to resolve this problem.
    I have checked DNS server service is started, I can see that DNS zone is
    automatically configured when i use Active Directory installation wizard to
    create the domain, the setting of DNS zone is as shown:
    http://i132.photobucket.com/albums/q11/plee61/DNS.jpg. I am not sure how to
    examine if the DNS zone is configured as dynamic.
    On domain controller, I have already fixed the IP and DNS server address on
    TCPIP setting as shown:
    http://i132.photobucket.com/albums/q11/plee61/TCPIP.jpg
    I have only one NIC. When i go to control panel->network connections i can
    only see local area connection.
    I have already set the DNS server address of the client pointing to IP of
    Domain controller. I am able to ping from client to DC and vice versa. When i
    type ping contoso.com on client, i am getting the IP of DC.
    Do you mean the forwarder tab when i right click on the DNS server in DNS
    MMC? If so, is the configuration correct as shown:
    http://i132.photobucket.com/albums/q11/plee61/DNS.jpg

    i ran dcdiag on domain controller again, i still get Directory Binding Error
    1722:
    The RPC server is unavailable.
    Thanks for your help.
     
    HawleyBeach, Jan 16, 2007
    #3
  4. HawleyBeach

    Herb Martin Guest

    No apologies necessary and I won't apologize for correcting your
    Likely DNS services is correct since the _UNDERSCORE subdomains are there
    but you have a multi-homed DC which is DIFFICULT to get correct -- most
    people will tell you flat out "don't do that" but I am bit more flexible.

    For these settings the picture is a POOR choice; what I need is the
    ACTUAL TEXT from running "IPConfig /all >File.txt".

    Then I can see all of the IPs and DNS settings etc.

    You are going to have to override (at a minimum) the DNS server
    on those external NICs to point to ONLY your internal DNS if
    this is a DC (or even a member machine.) Otherwise the machine
    will -- sometimes -- go out to the Internet looking for internal DNS
    and fail.
    Ok, but if you show me "IPconfig /all" I will see that too.

    I see THREE IP address that this DNS server is "listening on" -- they
    are in multiple subnets too so they strongly IMPLY multiple NICs but
    don't guarantee that.

    Why three IPs for this machine if it has one NIC? (Sometimes makes sense
    but it is an advanced idea and you said you were new <grin>).

    Also you named it "GATEWAY" which again strongly IMPLIES that it is
    a multi-homed router. Why is it named GATEWAY? (It can be named
    Good, but this is a minimum. You must also NOT set anything that is an
    EXTERNAL DNS.

    Same goes for the DC as I mentioned above - DCs are internal DNS clients
    too.
    Looks like you pasted the same picture as you used for the Zone instead
    of the Forwarder picture. (This is another one that really requires the
    picture but you don't really need me to look -- just fill in the ISP
    DNS server there and optionally select "Do Not use recursion.")

    Likely the CLIENT DNS Settings ON THE DC are still wrong but I need
    that "IPConfig /all >file.txt".
    Sure. We like helping people who are trying to learn.
     
    Herb Martin, Jan 16, 2007
    #4
  5. HawleyBeach

    HawleyBeach Guest

    I have checked DNS server service is started, I can see that DNS zone is
    What do you mean multi-homed DC and how do you tell ? Should i better fix it
    so that it is not multi-homed DC?
    Windows IP Configuration ON DOMAIN CONTROLLER

    Host Name . . . . . . . . . . . . : gateway
    Primary Dns Suffix . . . . . . . : contoso.com
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : contoso.com

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
    Physical Address. . . . . . . . . : 00-0F-B5-FE-6A-D1
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.200
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.254
    DNS Servers . . . . . . . . . . . : 127.0.0.1
    based on the ipconfig /all above, is the DNS server overriden correctly? If
    no, where do i override external NIC as you mentioned with internal DNS?
    OK, should i remove ISP DNS address on DNS MMC (forwarder tab) and use only
    internal DNS Server address?
    I didn't know GATEWAY is used in TCPIP setting when i install Wins 2003 on
    this computer ;-)

    done, please have a look configuration on forwarders and interface:
    http://i132.photobucket.com/albums/q11/plee61/forwarder.jpg
    already attached IPConfig /all above.
     
    HawleyBeach, Jan 17, 2007
    #5
  6. HawleyBeach

    Herb Martin Guest

    Just a term for a DC with more than one Network Interface (or NIC).

    Some people use it for multiple IP addresses but that is a poor use of
    the term.
    It's a ROUTER which again implies, practically guarantees it has
    multiple NICs but you only show one NIC below:
    That's good since this server is the DNS server -- it is using itself.

    Wasn't there another NETWORK INTERFACE?

    Why is this machine a router?
    You're good based on the above.

    No. THAT is where the ISP DNS is SUPPOSED to be entered;
    but it must NOT be entered on the NIC->IP properties among
    the internal DNS entries, or instead of them.

    Do you see why? (Rather than just memorize what I am telling you.)

    Does it mean the Vendor, as in Gateway Computers <grin> ????



    That looks right NOW -- you previously had the ISP DNS listed on
    the INTERFACES instead of the Forwarders and this made me think
    you had 3 IP addresses for this one server which implied multiple NICs
    as well.
    Looks ok.

    Check your zone properties to ensure it is really (still) set to ALLOW
    DYNAMIC Updates (Secure only is best, but No is wrong.)

    Start and stop the "NetLogon" service (from command prompt):

    net stop NetLogon
    net start NetLogon

    If you have "NetDiag" run "NetDIAG /fix".

    Then run DCDiag again.
     
    Herb Martin, Jan 17, 2007
    #6
  7. HawleyBeach

    HawleyBeach Guest

    Hi Martin,

    At this point on Domain controller, i have configured a fixed IP on TCPIP
    setting and set the DNS Server address on NIC pointing to the same IP,
    therefore making the DNS server internal.
    I added primary and secondary DNS servers provided by ISP (external) to the
    list of DNS MMC -> DNS Server -> property -> forwarder tab so that all DNS
    queries that cannot be answered by internal DNS server will be forwarded to
    the external DNS.

    DNS Server addresses on TCPIP setting should not be set with external DNS
    addresses to make sure all DNS queries are attended internally first. Am i
    right?

    Interface tab on DNS MMC -> DNS server -> property should always have the
    same IP setting as DNS Server address on TCPIP. Am i right? If yes, what is
    the purpose of having Interface tab?

    Before i stop/start net logon, i added Internal and both external DNS server
    addresses to trust on ZoneAlarm firewall. Then i stop, start net logon,
    netdiag /fix. Below is the result of dcdiag i ran lastly, the Initial error
    1722 RPC Server unavailable is resolved but fail test on netlogon access
    denied etc:

    C:\Documents and Settings\Administrator.GATEWAY>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\GATEWAY
    Starting test: Connectivity
    ......................... GATEWAY passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\GATEWAY
    Starting test: Replications
    ......................... GATEWAY passed test Replications
    Starting test: NCSecDesc
    ......................... GATEWAY passed test NCSecDesc
    Starting test: NetLogons
    [GATEWAY] An net use or LsaPolicy operation failed with error 5,
    Access
    is denied..
    ......................... GATEWAY failed test NetLogons
    Starting test: Advertising
    ......................... GATEWAY passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... GATEWAY passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... GATEWAY passed test RidManager
    Starting test: MachineAccount
    Could not open pipe with [GATEWAY]:failed with 5: Access is denied.
    Could not get NetBIOSDomainName
    Failed can not test for HOST SPN
    Failed can not test for HOST SPN
    * Missing SPN :(null)
    * Missing SPN :(null)
    ......................... GATEWAY failed test MachineAccount
    Starting test: Services
    Could not open Remote ipc to [GATEWAY]:failed with 5: Access is
    denied.

    ......................... GATEWAY failed test Services
    Starting test: ObjectsReplicated
    ......................... GATEWAY passed test ObjectsReplicated
    Starting test: frssysvol
    [GATEWAY] An net use or LsaPolicy operation failed with error 5,
    Access
    is denied..
    ......................... GATEWAY failed test frssysvol
    Starting test: frsevent
    ......................... GATEWAY failed test frsevent
    Starting test: kccevent
    Failed to enumerate event log records, error Access is denied.
    ......................... GATEWAY failed test kccevent
    Starting test: systemlog
    Failed to enumerate event log records, error Access is denied.
    ......................... GATEWAY failed test systemlog
    Starting test: VerifyReferences
    ......................... GATEWAY passed test VerifyReferences

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running partition tests on : contoso
    Starting test: CrossRefValidation
    ......................... contoso passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... contoso passed test CheckSDRefDom

    Running enterprise tests on : contoso.com
    Starting test: Intersite
    ......................... contoso.com passed test Intersite
    Starting test: FsmoCheck
    ......................... contoso.com passed test FsmoCheck

    C:\Documents and Settings\Administrator.GATEWAY>
     
    HawleyBeach, Jan 17, 2007
    #7
  8. HawleyBeach

    Herb Martin Guest

    That's all correct

    (Technical terms though: Those ISP DNS servers are called "Preferred and
    Alternates" as Primary and Secondary are technical terms which ONLY apply
    to a specific zone and not the job of forwarding or the way a client uses
    DNS.)
    Exactly. All internal machines including especially DCs and other servers
    too.
    Yes, or 127.0.0.1 is ok most of the time too (like you had that last time.)
    For (true) multihome where you only want the DNS server to answer on
    (some) IP addresses, e.g., inside but not external queries, or vice versa,
    but not both.
    Trust them only on port 53 UDP AND TCP.

    This is your first mention of Zone Alarm -- or I would have warned you
    early there are MANY things a DC must allow to service clients. You can
    use the ZoneAlarm warnings to figure out most of this or you can try to
    set it from the KB articles on the MS website.

    [Personally I hate trying to get ZA to work on a DC.]

    Search Google for something like:

    [ microsoft: firewall ports open DC | "Domain Controller" ]

    or

    [ site:microsoft.com firewall ports open DC | "Domain Controller" ]

    Or tell me and I will find it for you.
    You are getting closer but you have more stuff to open for internal
    machines.

    UDP 88, 138, 139,
    TCP 135, TCP 445,
    Both 53, 389,

    Probably some more; these are just off the top of my head -- mostly
    you need to

    Probably easiest to just trust everything on your INTERNAL net range.
     
    Herb Martin, Jan 17, 2007
    #8
  9. HawleyBeach

    HawleyBeach Guest

    Hi Martin,
    Just by accident, i thought opening firewall to let access to external DNS
    servers (not too bad huh ;-) )
    I have found this web site http://support.microsoft.com/kb/179442 on how to
    configure a firewall for DC. But i am not sure how to fit in port, UDP, TCP
    to zonealarm trust setting? On the ZoneAlarm, i can add trust by IP / Subnet/
    IP range / Host as shown but they don't seem to fit in with UDP/ TCP etc:
    http://i132.photobucket.com/albums/q11/plee61/ZoneAlarm.jpg

     
    HawleyBeach, Jan 17, 2007
    #9
  10. HawleyBeach

    Herb Martin Guest

    If you look around (I haven't used ZA in years) you will find there
    are more advanced settings for the individual protocols/ports/services
    (all mean pretty much the same thing in THIS context) as well as general
    settings for trusting an ENTIRE address or range.

    Let's say you had a server on the Internet that did JUST Web services
    using default settings and NO SSL (https).

    It would ONLY need to accept connections on port TCP 80 (default for
    HTTP) but it would need to trust the ENTIRE world (or most of it
    anyway) on that port.

    Were you to add a trust range for all machines the firewall would then be
    useless, but if you only opened TCP Port 80 it would still let web services
    be used (by everyone) but nothing else.

    More complicated schemes might require you to open RDP from a (small)
    range of machines so you could use Remote Desktop or Terminal Services
    to admin this box. You wouldn't want to let just anyone (try to) connect to
    your Remote Desktop but you would need to make an exception for your
    own range of machines.

    Make sense?

    You can filter (firewall is a form of filtering) on Source and Destination
    Ports for both TCP & UDP, as well as Source and Destination addresses,
    (or combos of both) with more decent firewall software including ZA.

    Some filtering schemes let you filter on other things (like other protocols
    ICMP, or even data in the packets) but that isn't the issue here.

    TCP and UDP both use ports to represent particular services -- typically
    only ONE web service can "listen" on "Port 80".

    The analogy is this:

    Your IP is like a (large) company main switchboard phone number, and the
    Port is like the EXTENSION within that company's phone system.

    So to contact a unique service ANYWHERE on the Internet you must
    know the IP Address (already unique to the machine) and the Port
    number (unique to A SERVICE on that machine.)

    It is slightly complicated by the distinction of UDP has ports and TCP
    has ports and these are technically unrelated -- even though a few
    services like DNS use both and typically use the same number for
    both TCP and UDP even though they are distinct.

    So to be accurate:
    To contact a unique service ANYWHERE on the Internet you must
    know the IP Address (already unique to the machine) and the Protocol
    and Port number (unique to A SERVICE on that machine.)

    Default ports however are built into the various networking clients which
    then expect "their" services to run on those ports; this prevents ordinary
    users from generally having to deal with port issues.

    You've probably seen a URL like this:

    http://www.domain.com:8000

    ....that is a web service (PROBABLY) that is running on the NON-default
    port of 8000 so someone (user, link etc) must tell the web client to
    contact the server on that port instead of port 80.
     
    Herb Martin, Jan 17, 2007
    #10
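The filtering model from posts #8 and #10, as an added example that is not part of either post: allow rules keyed on source range, protocol and port, with everything else denied. The ports are only those listed in post #8 (which its author says is incomplete); the admin range, the outside address 203.0.113.9 and the listening services are constructed, and TCP 3389 is the default RDP port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.1.0/24")  # LAN range from the thread's ipconfig output
ADMINS = ip_network("192.168.1.0/28")    # constructed: the "(small) range" allowed to RDP
ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One allow rule. A field left as None trusts every value of that field."""
    source: IPv4Network
    proto: Optional[str] = None   # "tcp" or "udp"; their port numbers are unrelated
    port: Optional[int] = None    # destination port on the protected host

    def matches(self, proto, port, src):
        return (ip_address(src) in self.source
                and self.proto in (None, proto)
                and self.port in (None, port))


def allowed(rules, proto, port, src):
    """Default deny: traffic passes only if one rule matches all three fields."""
    return any(r.matches(proto, port, src) for r in rules)


def reachable(rules, src, listening):
    """Which of the host's listening (proto, port) services can src reach?"""
    return [svc for svc in listening if allowed(rules, *svc, src)]


def dc_rules(internal=INTERNAL):
    """The ports post #8 lists for a DC, opened to the internal range only."""
    rules = [Rule(internal, "udp", p) for p in (88, 138, 139)]   # "UDP 88, 138, 139"
    rules += [Rule(internal, "tcp", p) for p in (135, 445)]      # "TCP 135, TCP 445"
    for p in (53, 389):                                          # "Both 53, 389"
        rules += [Rule(internal, "tcp", p), Rule(internal, "udp", p)]
    return rules


# The scenarios from post #10.
WEB_ONLY = [Rule(ANYWHERE, "tcp", 80)]                # whole world, one port
WEB_PLUS_RDP = WEB_ONLY + [Rule(ADMINS, "tcp", 3389)] # RDP only from the admin range
TRUST_ALL = [Rule(ANYWHERE)]                          # trust range for all machines

# Constructed: services listening on the example host.
LISTENING = [("tcp", 80), ("tcp", 3389), ("tcp", 445)]

if __name__ == "__main__":
    outsider = "203.0.113.9"
    print("web only  :", reachable(WEB_ONLY, outsider, LISTENING))
    print("trust all :", reachable(TRUST_ALL, outsider, LISTENING))
    print("admin RDP :", reachable(WEB_PLUS_RDP, "192.168.1.5", LISTENING))
    print("DC udp/88 :", allowed(dc_rules(), "udp", 88, "192.168.1.50"))
    print("DC tcp/88 :", allowed(dc_rules(), "tcp", 88, "192.168.1.50"))
```

A rule for UDP 88 does not open TCP 88, which is the "Protocol and Port" distinction post #10 makes.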
  11. HawleyBeach

    HawleyBeach Guest

    Hi Martin,
    Thanks for the analogy of ports.

    Unfortunately, the version of ZoneAlarm i have doesn't come with custom
    setting for ports. I was trying out ISA server but encounter error (related
    to domain controller) during installation. Beside, is ISA server 2006 the
    right solution as a firewall?

    Another question is, do i have to add an authorised server on DHCP MMC?

    Thanks
     
    HawleyBeach, Jan 18, 2007
    #11
  12. HawleyBeach

    Herb Martin Guest

    Generally it is a good solution for a "Router/NAT firewall" not for a
    "personal" or "machine specific" firewall like a DC needs.

    A DC really should not be a router, nor should it be directly on the
    Internet -- the firewall (ISA, hardware, etc) for the router should be
    on a separate box.

    There is a "BASIC/Firewall" in the RRAS component of the Server
    product. You can use that; it is simple and probably sufficient IF you
    keep this server behind a hardware firewall and take very good care
    of it.
    Last I checked: No, but you SHOULD authorize the DHCP server and then
    they ALL (running the Windows Server version) will require
    authorization.

    Authorizing the FIRST one will protect you from "rogue" DHCP servers
    running on Windows Server (but not XP, 95, hardware, NT, Linux, etc.)
     
    Herb Martin, Jan 18, 2007
    #12
  13. HawleyBeach

    HawleyBeach Guest

    Hi Martin,
    IPCONFIG /All shows that Enabled IP Routing is turned on, should i turn it
    off (using registry)?
    I have enabled RRAS with NAT/ Basic Firewall. As shown in the screen shot
    http://i132.photobucket.com/albums/q11/plee61/RRAS.jpg
    i have added some ports in Local Area connection interface. There is one
    problem with private address on "Edit Server" tab, i am forced to enter a
    valid IP, if i leave the private address blank or with 0.0.0.0 i will get
    error 'invalid private address'.
    Please advise if the configuration for opening these ports is correct.

    Since i have enabled RRAS, does it mean i have enabled routing on this DC?
    I have enabled DHCP server as
    shown: http://i132.photobucket.com/albums/q11/plee61/DHCP.jpg
    What do you mean the FIRST one? i have only one DHCP that is
    gateway.contoso.com and is it not supposed to run on this Windows Server?

    Having done all, i shutdown ZA and reboot server. Restart, ran dcdiag but
    still get the same error with access denied on net logon:
    Testing server: Default-First-Site-Name\GATEWAY
    Starting test: Replications
    ......................... GATEWAY passed test Replications
    Starting test: NCSecDesc
    ......................... GATEWAY passed test NCSecDesc
    Starting test: NetLogons
    [GATEWAY] An net use or LsaPolicy operation failed with error 5,
    Access
    is denied..
    ......................... GATEWAY failed test NetLogons
    Starting test: Advertising
    ......................... GATEWAY passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... GATEWAY passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... GATEWAY passed test RidManager
    Starting test: MachineAccount
    Could not open pipe with [GATEWAY]:failed with 5: Access is denied.
    Could not get NetBIOSDomainName
    Failed can not test for HOST SPN
    Failed can not test for HOST SPN
    * Missing SPN :(null)
    * Missing SPN :(null)
    ......................... GATEWAY failed test MachineAccount
    Starting test: Services
    Could not open Remote ipc to [GATEWAY]:failed with 5: Access is
    denied.

    ......................... GATEWAY failed test Services
    Starting test: ObjectsReplicated
    ......................... GATEWAY passed test ObjectsReplicated
    Starting test: frssysvol
    [GATEWAY] An net use or LsaPolicy operation failed with error 5,
    Access
    is denied..
    ......................... GATEWAY failed test frssysvol
    Starting test: frsevent
    ......................... GATEWAY failed test frsevent
    Starting test: kccevent
    Failed to enumerate event log records, error Access is denied.
    ......................... GATEWAY failed test kccevent
    Starting test: systemlog
    Failed to enumerate event log records, error Access is denied.
    ......................... GATEWAY failed test systemlog
    Starting test: VerifyReferences
    ......................... GATEWAY passed test VerifyReferences

    On event viewer, error on Group policy related:
    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1030
    Date: 19/01/2007
    Time: 3:27:23 PM
    User: NT AUTHORITY\SYSTEM
    Computer: GATEWAY
    Description:
    Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this.

    Many thanks to your patience!
     
    HawleyBeach, Jan 19, 2007
    #13
  14. HawleyBeach

    Herb Martin Guest

    Not if this is the machine which is sharing the Internet with the other
    machine(s).
    Private address must be in the same range as your other machine(s).

    192.168.16.1 is good for the gateway/Router with .2, .3 etc as you
    add more machines.

    OR just use whatever network range you were already using.
    Yes (the way you did it.)

    Internet -- DC/as Router-- other machines
    Then it is (by definition) the FIRST one <grin>

    If you are using DHCP give your Router an address from the same
    range (but exclude that from the DHCP so it won't give the number
    out again.)
    Did you DISABLE ZA and/or remove it? Shutting it down means it will
    turn on again at next boot.
     
    Herb Martin, Jan 19, 2007
    #14
  15. Read inline,
    In
    If the server is behind a router, the only component in RRAS you would
    install is RAS, you would not install NAT, or the firewall in NAT, unless
    you open all the ports needed for file sharing and AD communication. Make
    sure no packet filters are enabled.
    Running DHCP on the Windows Server is fine, the problem I see here is that
    the DHCP scope is out of the server's subnet, your server's subnet is
    192.168.1.0/24 and the scope is 192.168.0.0/24, and there is no NIC on the
    server in this subnet, you would have to add a static route on your router,
    pointing back to the DC as its gateway, all of this would seem to be
    unworkable because the server is only single-homed.
    ZoneAlarm does not always properly uninstall, check with the ZA website for
    instructions on making sure all ZA components get uninstalled.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Jan 19, 2007
    #15
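Two checks this thread keeps coming back to, written as an added example that is not from any poster: the DC's NIC must list only internal DNS servers, and the DHCP scope must sit inside the server's own subnet. It assumes "internal" means loopback or an address in the NIC's subnet; the adapter text is the one posted in the thread, and the 203.0.113.53 resolver is a constructed value.

```python
import re
from ipaddress import ip_address, ip_interface, ip_network

# Adapter section as posted in the thread for the DC (ipconfig /all).
THREAD_NIC = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 127.0.0.1
"""

# Constructed variant: an ISP resolver also entered on the NIC. ipconfig prints
# additional DNS servers on continuation lines that carry no label.
MISCONFIGURED = THREAD_NIC + "                                       203.0.113.53\n"

FIELD = re.compile(r"^\s*(IP Address|Subnet Mask|Default Gateway|DNS Servers)[ .]*:\s*(.*)$")


def is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_adapter(text):
    """Extract the addressing fields of one adapter section."""
    cfg, last = {"dns": []}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last, value = m.group(1), m.group(2).strip()
            if last == "DNS Servers":
                if value:
                    cfg["dns"].append(value)
            else:
                cfg[last] = value
        elif last == "DNS Servers" and is_ip(line.strip()):
            cfg["dns"].append(line.strip())      # unlabeled continuation line
        else:
            last = None
    return cfg


def audit(text, dhcp_scope):
    """Return findings for the NIC's DNS client settings and the DHCP scope."""
    cfg = parse_adapter(text)
    nic = ip_interface(f'{cfg["IP Address"]}/{cfg["Subnet Mask"]}')
    findings = []
    for server in map(ip_address, cfg["dns"]):
        # Assumption: loopback or same-subnet means "internal DNS".
        if not (server.is_loopback or server in nic.network):
            findings.append(
                f"NIC lists external DNS {server}; enter it on the DNS "
                f"server's Forwarders tab instead")
    scope = ip_network(dhcp_scope)
    if not scope.subnet_of(nic.network):
        findings.append(
            f"DHCP scope {scope} is outside the server subnet {nic.network}")
    return findings


if __name__ == "__main__":
    # Scope and subnet values are the ones named in the last reply.
    for finding in audit(THREAD_NIC, "192.168.0.0/24"):
        print(finding)
    for finding in audit(MISCONFIGURED, "192.168.1.0/24"):
        print(finding)
```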